Last updated: 27 April 2026. We give Customers at least 30ย days' notice before adding a new sub-processor we control, and relay upstream-provider changes promptly. Subscribe to change notifications by writing to the address above.
Part A โ What we provide to our Customers
Sub-processors that process Customer Data
These third parties may process personal data we hold on a Customer's behalf as a processor under our Data Processing Agreement. We've split them into core (always engaged) and optional (engaged only by your configuration choices).
A.1 Core sub-processors(engaged for every Customer)
These are always engaged because they are the foundation of the Service. All of them are operated by Google Ireland Ltd / Google Cloud EMEA Ltd with EU contracting and EU data residency, governed by the Google Cloud Data Processing Addendum and EU Standard Contractual Clauses.
| Sub-processor | Activated when | Purpose | Data residency |
|---|---|---|---|
| Google Cloud Platform | Always โ core sub-processor | Cloud infrastructure, container hosting (Cloud Run) and primary data storage for the Mira platform, including the managed Postgres database that powers the application. | Hamina, Finland (europe-north1) |
| Google Firestore | Always โ core sub-processor | Tenant configuration, Pixel settings, leads and Shopify-app installation records. | European Economic Area |
| Google Firebase Realtime Database | Always โ core sub-processor | Live-chat conversations and real-time messaging state. | European Economic Area |
| Google Firebase Authentication | Always โ core sub-processor | Authentication for Customer staff accounts on the Serviceform Dashboard. | European Economic Area |
| Google Cloud Run | Always โ core sub-processor | Logging and stateless application services. | Finland / European Economic Area |
A.2 Optional sub-processors(engaged only by your configuration)
Each row below is engaged onlywhen the Customer enables the corresponding feature, integration or configuration choice. Customers may request a configuration that excludes any of these โ for example, an "EU-only AI" configuration that uses Google Gemini in EEA regions and disables OpenAI, or a "no-Twilio" configuration that disables outbound SMS and voice.
| Sub-processor | Activated when | Purpose | Data residency |
|---|---|---|---|
| OpenAI Ireland Ltd (compute via OpenAI OpCo, LLC) | Customer subscribes to AI chat / answer features | Large language model inference (GPT family). OpenAI Ireland Ltd is our data processor under a signed DPA dated 11 November 2024 incorporating EU SCCs Module 2 and 3. API request and response data is retained for a maximum of 30 days for abuse-monitoring before deletion. OpenAI does not use Serviceform API data to train or improve its models. Personal data is automatically redacted from end-user input before forwarding (see Privacy Policy ยง18). | Ireland (contracting); United States (compute) |
| Google AI / Gemini API | Customer subscribes to AI chat / answer features and selects Gemini | Large language model inference. Operates under enterprise API terms that bar use of Customer Data for model training. Personal data is automatically redacted from end-user input before forwarding. | European Economic Area / United States |
| Twilio (Voice and Programmable Messaging) | Customer enables voice, SMS or WhatsApp messaging features | Voice calling, SMS and WhatsApp Business messaging delivery. | European Economic Area / United States |
| Twilio SendGrid | Customer enables transactional / lead-notification email | Transactional email delivery (lead notifications, system emails). | European Economic Area (configurable EU sending region) |
| Meta Platform Integration (Facebook Messenger, Instagram Direct, WhatsApp Business) | Customer connects Meta business accounts to the Social Inbox | Routing of inbound customer-support messages from Meta-owned platforms. Message data is routed through Meta's platform under Meta's data-processing terms and the Customer's Meta data-residency configuration. | Per Meta data-residency configuration |
| Zapier | Customer enables Zapier-based forwarding (native CRM integrations are also available without Zapier) | Optional forwarding of lead-related personal data to a Customer's CRM, ERP or other system. Zapier deletes data from two months prior on the first Monday of each month. | United States |
| Microsoft Authentication (Microsoft Entra ID) | Customer's staff sign in via Microsoft Outlook SSO | Single sign-on. Stored in Microsoft data centres according to the Customer's regional configuration under Microsoft's Data Protection Addendum. | Per Customer's Microsoft tenant configuration |
| Google OAuth / Google Sign-in | Customer's staff sign in via Google Workspace SSO | Single sign-on. Stored in Google data centres according to the Customer's regional configuration under Google Cloud's Data Processing Addendum. | Per Customer's Google Workspace tenant configuration |
| Apple App Store | Customer's staff install the Serviceform iOS application | Mobile app distribution. | United States |
| Google Play Store | Customer's staff install the Serviceform Android application | Mobile app distribution. | United States |
| Cloudflare | Customer uses the Serviceform widget on a website | CDN, DDoS protection and bot mitigation for widget delivery. | Global (with EU localisation where supported) |
| Sentry | Default error-and-performance telemetry from Customer-facing endpoints (can be disabled on request) | Error tracking and performance traces with IP truncation enabled. | European Economic Area (EU-only project) |
| Elastic Cloud (Elasticsearch B.V.) | Statistics, search and live-chat indexing features | Search and analytics engine. Statistics (no PII): Finland; live-chat index: Finland; logs: Germany. | Finland and Germany (EEA) |
| Typesense | Search features inside the Serviceform Dashboard | Search index for tools, leads and configuration. | European Economic Area |
| WhatsApp Business API (via Meta or Twilio) | Customer enables WhatsApp messaging through their tools (the Customer must have its own WhatsApp Business contractual relationship) | Receiving and sending WhatsApp messages on behalf of the Customer. | Per Meta / Twilio configuration |
| HelloSign / Dropbox Sign | Electronic signature of agreements with the Customer's signatories | Electronic signatures. | United States |
Part B โ What we use for Serviceform itself
Service providers for Serviceform's own operations
These third parties support Serviceform's own business โ billing, accounting, payroll, sales, marketing, internal productivity. They do not process Customer end-user data. Where they process personal data of Serviceform website visitors, prospects, employees or business contacts, Serviceform Oy is the controller and the processing is described in our Privacy Policy.
| Service provider | Purpose for Serviceform | Data residency |
|---|---|---|
| Stripe | Payment processing for Serviceform subscriptions. Customer billing contact details only โ alternative invoice billing is available. | United States (with regional EU collection) |
| Netvisor | Finnish accounting and Finnish payroll for Serviceform employees. | Finland |
| Fortnox | Swedish accounting and Swedish payroll for Serviceform employees. | Sweden |
| QuickBooks | Bookkeeping for Serviceform group entities. | United States |
| IBAN | Bank account validation for invoicing. | Germany |
| HubSpot | Serviceform's own CRM and marketing automation (one of three CRM tools used by Serviceform). | United States |
| Pipedrive | Serviceform's own CRM and sales pipeline (one of three CRM tools used by Serviceform). | European Economic Area |
| GetAccept | Digital Sales Room for Serviceform's B2B sales process. | European Economic Area |
| Mixmax | Email sequencing and sales engagement used by Serviceform sales staff. | United States |
| Mailchimp | Serviceform's own newsletter and marketing email. | United States |
| Reply.io | Serviceform's own outbound sales engagement. | United States |
| LinkedIn Sales Navigator | Serviceform's own sales prospecting. | United States |
| Leadfeeder / Dealfront | Serviceform's own visiting-company identification (consent-based, our marketing site only). | European Economic Area |
| Google Analytics 4 | Analytics on Serviceform's own marketing websites (consent-based). | United States with EU regional collection |
| Google Tag Manager | Tag management on Serviceform's own marketing websites. | United States |
| Google Ads | Serviceform's own advertising and conversion measurement (consent-based). | European Economic Area |
| LinkedIn Ads / LinkedIn Insight Tag | Serviceform's own advertising and conversion tracking (consent-based). | European Economic Area / United States |
| Facebook Pixel / Facebook Connect | Serviceform's own advertising effectiveness measurement and authentication (consent-based). | European Economic Area / United States |
| Twitter / X Ads | Serviceform's own advertising (consent-based). | United States |
| Hotjar | Aggregated behavioural analytics on Serviceform's own marketing websites (consent-based). | Ireland |
| Mixpanel | Product analytics on the Serviceform Dashboard (consent-based). | United States |
| Usercentrics | Cookie-consent management on Serviceform's own websites. | European Economic Area |
| Slack | Serviceform's own internal communication. | United States |
| Google Workspace (Gmail, Drive, Meet) | Serviceform's own business email, file storage, video conferencing. | Per Serviceform's tenant configuration (EEA primary) |
| Microsoft 365 | Serviceform's own productivity tooling for staff who use it. | Per Serviceform's tenant configuration (EEA primary) |
| Canva | Design and creative-asset production by Serviceform staff. | Global |
| New Relic | Application-performance monitoring of Serviceform's own infrastructure. | Global |
| Drupal (managed CMS instances) | Legacy content-management for Serviceform's own marketing sites. | United States |
| Webflow | Legacy hosting of Serviceform's own marketing sites. | United States |
Customer-authorised integration destinations (e.g. your own Klaviyo, Brevo, HubSpot, Salesforce, Pipedrive, ActiveCampaign, LianaMailer, Mailchimp, Microsoft Dynamics 365, Linear, Shopify, WooCommerce, Shipit, DHL or Matkahuolto account) are not Serviceform sub-processors. When you connect such an integration, Serviceform forwards data to your own account on your explicit instruction; the receiving system is then governed by its own privacy notice and your contract with that provider. See Privacy Policy ยง14 for the controller / processor distinction.
Our supervisory authority is the Office of the Data Protection Ombudsman of Finland (tietosuoja.fi).